Your Company Runs on Data – Is It Safe?

Data is at the center of the digital transformation underway in today’s organizations. The speed with which relevant and useful information and business intelligence can be extracted from the overwhelming flow of data is what sets companies apart from their competition in today’s fast moving digital economy. Yet many organizations find themselves falling behind when it comes to protecting the very data on which their companies run. While 77 percent of CEOs surveyed by Gartner in 2015 agree that digital business is bringing in new types and levels of risk, 65 percent of them believe their risk management is not keeping up.

Much of the perceived threat to a company’s data is from outside the firewall through cyber-attacks. There’s no shortage of media stories about external malware, ransomware and data breaches. However, according to the 2016 Cyber Security Intelligence index, IBM found that 60 percent of all attacks were carried out by insiders. Just this past April, SunTrust had over 1.5 million customer records stolen by an employee who tried to sell them to criminal elements on the Dark Web. Fraud is also a significant problem, costing organizations an average of five percent of annual revenue, according to the Association of Certified Fraud examiners.

This makes it critical to ensure that your data is protected by a comprehensive SAP security architecture inside the firewall. This framework must not only guard your data, it must be sustainable and adaptable as your business changes to navigate the ebbs and flows of the digital economy.

Securing your Data – Balancing Access, Risks and Controls

Securing your company’s data is not just about locking it down. It must be open and usable to those who need access to enter and use the data to make decisions. This creates a balancing act of who gets access to data and can run certain transactions. Too much access increases risks, too little could paralyze an entire organization.

Therefore, roles must be carefully reviewed to spot potential risks. You would not want an employee in purchasing whose role is to manage the vendor master list to also have the authority to pay vendors. It would be very easy for someone to create a vendor and pay themselves. This means developing a clear segregation of duties (SoD) and analyzing roles to prevent SoD conflicts.

However, there are times when users will need expanded access and permissions outside their roles, which will create SoD conflicts. This could be something as simple as an employee who approves purchase orders going on vacation or something major, such as a reorganization. Mitigating controls must then be put in place with expiration dates and regularly monitored to offset these types of risks.

There will also be emergencies that require employees be given access permissions outside their roles. It may be to outside consultants to fix code problems. This requires a well-developed emergency access management (EAM) plan to address and monitor the risks that may arise when dealing with what are often called ‘fire call’ situations within the SAP environment.

Even with the proper role, access segregation and meaningful controls in place, these SAP security basics must run smoothly day in and day out, keeping process owners informed and adaptable as the organization changes. This poses a big challenge to SAP security and IT staff.

Making Security Sustainable and Adaptable – People, Processes, Skills

The dynamic nature of today’s organizations means that your SAP security architecture must not be a collection of one-off actions. Changes in roles and responsibilities are the new normal and any significant shift can create a security risk. This means the SAP security team must keep up with these changes and work with process and systems owners to mitigate risks and potential SoD conflicts. Mitigating controls also must be constantly monitored as people move around the organization.

This constant change puts tremendous pressure on SAP security and IT teams. Not only are they managing a nonstop stream of user change requests, the increasing number of roles and changes introduces complexity that can cause security to fall behind. These changes result in problems like subtle access creep, which increases the likelihood of users executing transactions outside their job description or authority.

This dynamic and challenging environment is further compounded by IT staff shortages, lack of security skills and turnover, making it imperative that your security framework be supported by well defined, repeatable and teachable processes. Automating these processes and related reports is also vital. Very often, security is hampered by staff pulling manual reports and being buried under a document-based system that only hampers effective data security. Conflicts, violations and even breaches might go unnoticed for months.

Reorganizations, mergers and acquisitions along with introducing new technology, tools and applications, not to mention a constantly changing regulatory environment, means that your SAP security architecture and team must also be adaptable. Even a very helpful tool, such as SAP Fiori, requires a systematic review of roles and permissions. Trusted processes, automation tools, continuous improvement, adequate staffing and ongoing training thus become the critical success factors of a secure, sustainable and adaptable SAP security architecture.

Ben Uher manages the SAP Security and Controls Practice at Symmetry where he leads a team of permanent Consultants in delivering SAP Security and GRC offerings to global organizations. His deep knowledge in everything SAP Security and GRC related has come from the opportunity to work with over 150 Organizations running SAP throughout various cycles of their implementations. Variation in industry, sector and size has provided a breadth of opportunity and experience in almost every facet of SAP technology spanning HANA, Fiori, ERP, BW/BI, HCM and SCM amongst others. Most importantly, Ben is driven based on results and continually strives to provide exceptional support for the organizations that rely on him and his team as trusted advisers for SAP Security and GRC support.